So before reading through the config, keep in mind I would like to have VLAN segregation for certain devices.
Thanks in advanced.
/interface bridgeus-california.privateinternetaccess.com disabled=no mrru=1600 name=
is there a more efficient way to handle the vlans to ports without using bridges, or as is my current understand, that the only feasible way?
What device is this? RB2011 or 3011?
I don’t see any switch setup which could handle VLANs much more efficiently.
oh and forgot to mention I do have the vlans also on a switch attached to the rb2011, a Cisco SG300, I have that trunking a port to the rb2011, and primarily doing most of the true routing functions of the vlans on the rb2011, as opposed to the SG300, though there is mild L3 routing features on it.
djronin47:
its an rb2011
Don’t know about too complicated. Depends on what all your needs are.
A couple things I might recommend:http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
You’re also using Fasttrack while you’re doing mangling which doesn’t work well (once fasttracked, packets bypass mangles and filters!) unless you exclude those connections. I’ve changed my fasttrack forward to this:
add action=fasttrack-connection chain=forward comment="Fasttrack bypass queue's cpu saver" connection-mark=no-mark connection-state=established,related routing-table=main
Also fasttrack doesn’t work in the input chain, so you should remove that.
thanks for the response. I’ll give that a try.
I had attempted before to get at least on switch1 a few of the ports that I have devices direct connected to using switching but must have done it wrong.
I am incredibly used to doing things the ‘cisco’ way, as that is part of my day job.
in addition I noticed when disabling fasttrack my performance for my WAN diminishing with current config.
I get about 300-340Mbps down, and about 30-35Mbps up
with fasttrack I get the higher numbers respective to both, without closer to the lower numbers or slightly less
Yes, fasttrack can make quite an improvement. My rule doesn’t disable it for most traffic, just for connections that are being mangled.
Oddly while the ‘normal’ fasttrack rule didn’t seem to completely break all my mangled connections, it did seem to slow them down quite a bit and incoming were even worse than outgoing with disconnects.
I have one set of mangles that goes thru a PIA connection ran on a dd-wrt box and another thru a static IP pptp client connection on the router for SMTP email and incoming DNS. Since this traffic is small (for me) bypassing fasttrack for just these connections works well. All other connections get fasttracked normally.
Might you have a quick example of the switch side of things so I can at least test against one port successfully?
I tried this, but feel I’m missing something.
/interface ethernet switch port
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3 switch=switch1 vlan-id=1
I use my RB2011 as a switch with a management ip obtained thru dhcp-client from vlan3. So it uses all ports as a swtich in two groups bridged with the sfp port being my trunk. It’s also my master-port, but doesn’t have to be the same.
It should give you a decent example of how to set up the switch though. You just need to setup more vlans on the bridge interface and leave your wan off the switch group.
/interface ethernet
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6 name=ether10--cams-WolfEye5
set [ find default-name=sfp1 ] name=sfp1-uplink
/interface bridge
add admin-mac=D4:CA:6D:97:!!:!! auto-mac=no name=bridge1
/interface vlan
add interface=bridge1 l2mtu=1594 name=36Dog vlan-id=3
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1-uplink
set [ find default-name=ether2 ] master-port=sfp1-uplink
set [ find default-name=ether3 ] master-port=sfp1-uplink
set [ find default-name=ether4 ] master-port=sfp1-uplink
set [ find default-name=ether5 ] master-port=sfp1-uplink
/interface ethernet switch port
set 0 default-vlan-id=3999 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=8 vlan-header=always-strip vlan-mode=secure
set 11 vlan-mode=secure
set 12 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=sfp1-uplink
add bridge=bridge1 interface=ether6
/ip settings
set ip-forward=no
/interface ethernet switch vlan
add independent-learning=no ports=sfp1-uplink,ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 \
vlan-id=3
add ports=ether6,ether7,ether8,ether9,switch2-cpu switch=switch2 vlan-id=3
add independent-learning=no ports=sfp1-uplink,switch1-cpu switch=switch1 vlan-id=8
add ports=ether10--cams-WolfEye5,switch2-cpu switch=switch2 vlan-id=8
add independent-learning=no ports=sfp1-uplink,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=sfp1-uplink,switch1-cpu switch=switch1 vlan-id=11
add ports=ether6,switch2-cpu switch=switch2 vlan-id=10
add ports=ether7,switch2-cpu switch=switch2 vlan-id=11
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=36Dog
In the switch menu switch1-cpu represents the master-port in the rest of RoS. You’ll need to give it access to the vlan as well and may need to set the vlan mode on switch1-cpu to something other than disabled.
I suppose I should clarify a little better as I’m wondering if having the bridge is the only way I can do things, with the setup I have.
I have the rb2011 → cisco sg300, off of the sg300 I have two additional switches, both of which are doing 802.1q trunking, and are attached to two different ports on the sg300.
On the sg300, and the two other managed switches I am using MSTP/RSTP.
As is my understanding, and have found no way to do it in the rb2011 other than to bridge, to get STP of any kind, would it not make more sense?
Granted the other switches in no way could cause a loop back event. The are serving different devices in different rooms.
I hope this clarifies the situation better.
However, if in this case, not having STP at the switching layer is not required on the RB2011 that would be fine as well.
So in an effort to get switching working better, and to slightly simplify things in the event that the rb2011 ever croaks, I removed bridging from interfaces as a whole, moved a few devices off of it, and onto a switch.
The current config is as follows:
/interface bridge
add disabled=yes name=lan-bridge
add disabled=yes name=media-bridge
add disabled=yes name=security-bridge
add disabled=yes name=wifi-bridge
/interface ethernet
set [ find default-name=ether1 ] comment="primary WAN" mac-address=00:1B:21:80:EE:2E
set [ find default-name=ether2 ] comment="primary LAN/VLAN trunk"
set [ find default-name=ether3 ] comment=meraki
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment=laptop disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] comment=ooma poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface pptp-client
add allow=mschap2 comment="PIA Cali VPN PPTP Tunnel" connect-to=us-california.privateinternetaccess.com disabled=\
no mrru=1600 name=pptp-PIA-Cali user=XXXXXXXXX
/ip neighbor discovery
set ether1 comment="primary WAN"
set ether2 comment="primary LAN/VLAN trunk"
set ether3 comment=meraki discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set ether7 discover=no
set ether8 comment=laptop discover=no
set ether9 discover=no
set ether10 comment=ooma discover=no
set sfp1 discover=no
set lan-bridge discover=no
set media-bridge discover=no
set pptp-PIA-Cali comment="PIA Cali VPN PPTP Tunnel" discover=no
set security-bridge discover=no
set wifi-bridge discover=no
/interface vlan
add interface=ether2 l2mtu=1594 name=lan-vlan vlan-id=1
add interface=ether2 l2mtu=1594 name=media-vlan vlan-id=5
add interface=ether2 l2mtu=1594 name=security-vlan vlan-id=6
add interface=ether2 l2mtu=1594 name=wifi-vlan vlan-id=4
/ip neighbor discovery
set lan-vlan discover=no
set media-vlan discover=no
set security-vlan discover=no
set wifi-vlan discover=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp-lan-pool ranges=192.168.0.100-192.168.0.150
add name=dhcp-wifi-pool ranges=192.168.4.100-192.168.4.150
add name=dhcp-media-pool ranges=192.168.5.100-192.168.5.150
add name=dhcp-security-pool ranges=192.168.6.100-192.168.6.150
add name=dhcp-phone-pool ranges=192.168.250.100-192.168.250.150
add name="LT2P/IPSec Pool" ranges=192.168.1.50-192.168.1.100
add name=dhcp-work-pool ranges=192.168.100.100-192.168.100.150
/ip dhcp-server
add address-pool=dhcp-lan-pool always-broadcast=yes disabled=no interface=lan-vlan lease-time=1d name=dhcp-lan
add address-pool=dhcp-wifi-pool always-broadcast=yes disabled=no interface=wifi-vlan lease-time=1d name=dhcp-wifi
add address-pool=dhcp-security-pool always-broadcast=yes disabled=no interface=security-vlan lease-time=1d name=\
dhcp-security
add address-pool=dhcp-media-pool always-broadcast=yes disabled=no interface=media-vlan lease-time=1d name=\
dhcp-media
add address-pool=dhcp-phone-pool always-broadcast=yes disabled=no interface=ether10 lease-time=1d name=dhcp-phone
add address-pool=dhcp-work-pool disabled=no interface=ether3 name=dhcp-work
/ppp profile
add local-address=192.168.1.1 name=LT2P/IPSec remote-address="LT2P/IPSec Pool" use-encryption=yes
/routing bgp instance
set default as=65512 disabled=yes
/routing ospf area
set [ find default=yes ] disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=media-bridge disabled=yes interface=media-vlan
add bridge=security-bridge disabled=yes interface=security-vlan
add bridge=wifi-bridge disabled=yes interface=wifi-vlan
add bridge=lan-bridge disabled=yes interface=lan-vlan
add bridge=lan-bridge disabled=yes interface=ether8
/ip firewall connection tracking
set tcp-established-timeout=2h
/ip settings
set accept-source-route=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=LT2P/IPSec enabled=yes use-ipsec=yes
/ip address
add address=192.168.0.1/24 comment="default LAN" interface=lan-vlan network=192.168.0.0
add address=192.168.5.1/24 comment="media LAN" interface=media-vlan network=192.168.5.0
add address=192.168.6.1/24 comment="security LAN" interface=security-vlan network=192.168.6.0
add address=192.168.4.1/24 comment="wifi LAN" interface=wifi-vlan network=192.168.4.0
add address=192.168.250.1/24 comment=phone interface=ether10 network=192.168.250.0
add address=192.168.1.1/24 comment="l2tp range" interface=ether2 network=192.168.1.0
add address=192.168.100.1/24 comment=meraki interface=ether3 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.4.101 client-id=chromecast comment=Chromecast mac-address=D0:E7:82:DA:5F:18 server=dhcp-wifi
add address=192.168.4.11 client-id=nexus mac-address=08:60:6E:A6:79:AF server=dhcp-wifi
add address=192.168.4.147 always-broadcast=yes client-id=r47 comment="my laptop" mac-address=48:EE:0C:70:64:DE \
server=dhcp-wifi
add address=192.168.4.4 client-id=retropie mac-address=00:0F:60:03:F4:05 server=dhcp-wifi
add address=192.168.0.67 client-id=jules-pc2 mac-address=00:30:67:68:BD:43 server=dhcp-lan
add address=192.168.4.150 always-broadcast=yes client-id=1:8:86:3b:c3:48:45 comment="wemo switch" mac-address=\
08:86:3B:C3:48:45 server=dhcp-wifi
add address=192.168.4.30 client-id=1:ac:18:26:44:c4:bb comment="epson printer" mac-address=AC:18:26:44:C4:BB \
server=dhcp-wifi
add address=192.168.5.3 client-id=1:0:15:c1:d1:52:fe comment=ps3 mac-address=00:15:C1:D1:52:FE server=dhcp-media
add address=192.168.6.77 client-id=1:28:10:7b:11:9d:be comment=r47door1 mac-address=28:10:7B:11:9D:BE server=\
dhcp-security
add address=192.168.4.104 always-broadcast=yes client-id=1:a4:31:35:a4:e6:ef comment="jules ipod" mac-address=\
A4:31:35:A4:E6:EF server=dhcp-wifi use-src-mac=yes
add address=192.168.4.100 client-id=1:d0:df:9a:8e:4b:2b comment="jules laptop" mac-address=D0:DF:9A:8E:4B:2B \
server=dhcp-wifi
add address=192.168.4.103 always-broadcast=yes client-id=1:34:36:3b:36:c7:58 mac-address=34:36:3B:36:C7:58 server=\
dhcp-wifi
add address=192.168.250.149 comment=ooma mac-address=00:18:61:22:18:FF server=dhcp-phone
add address=192.168.6.149 comment=iris mac-address=00:1C:2B:04:75:34 server=dhcp-security
add address=192.168.4.105 client-id=1:80:1:84:f2:1e:ca comment="htc one a9" mac-address=80:01:84:F2:1E:CA server=\
dhcp-wifi
add address=192.168.4.102 always-broadcast=yes client-id=1:18:b4:30:2a:6c:a comment=nest mac-address=\
18:B4:30:2A:6C:0A server=dhcp-wifi
add address=192.168.0.222 client-id=1:4c:5e:c:7e:dd:2a comment=rb750 mac-address=4C:5E:0C:7E:DD:2A server=dhcp-lan
add address=192.168.100.100 client-id=1:0:18:a:16:97:dd mac-address=00:18:0A:16:97:DD server=dhcp-work
/ip dhcp-server network
add address=192.168.0.0/24 comment=lan dns-server=192.168.0.1 domain=local gateway=192.168.0.1 netmask=24
add address=192.168.4.0/24 comment=wifi dns-server=192.168.0.1 domain=local gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 comment=media dns-server=192.168.0.1 domain=local gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 comment=security dns-server=192.168.0.1 domain=local gateway=192.168.6.1 netmask=24
add address=192.168.100.0/24 comment=work dns-server=192.168.0.1 domain=local gateway=192.168.100.1 netmask=24
add address=192.168.250.0/24 comment=phone dns-server=192.168.0.1 domain=local gateway=192.168.250.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=4h servers=192.168.0.1,208.67.220.220
/ip dns static
add address=192.168.250.1 name=mikrotik
add address=69.36.66.1 name=allconnectedfw
add address=192.168.0.47 name=zeus.local
add address=192.168.0.46 name=kronos.local
add address=192.168.0.30 name=qnap.local
add address=192.168.0.66 name=athena.local
add address=192.168.0.222 name=mikrotikrb750.local
add address=192.168.0.201 name=ngswent.local
add address=192.168.0.200 name=ngswlab.local
add address=192.168.0.14 name=pi.local
add address=192.168.0.250 name=r47wifi.local
add address=192.168.0.15 name=retropie.local
add address=192.168.0.254 name=sg300.local
add address=64.250.230.254 name=vegasdc
add address=192.168.100.100 name=meraki.local
add address=192.168.200.50 name=pilab.local
add address=192.168.0.50 name=usrv.local
add address=192.168.4.30 name=epson.local
add address=192.168.0.151 name=slice1.local
add address=192.168.0.152 name=slice2.local
add address=192.168.0.153 name=slice3.local
add address=192.168.0.154 name=slice4.local
add address=192.168.4.105 name=htc.local
add address=192.168.0.77 name=vm.local
add address=192.168.0.99 name=monitor.local
/ip firewall address-list
add address=192.168.0.0/16 list=mikrotik-access
add address=192.168.0.47 disabled=yes list="VPN Users"
add address=192.168.0.46 disabled=yes list="VPN Users"
add address=192.168.0.14 disabled=yes list="VPN Users"
add address=192.168.100.100 disabled=yes list="VPN Users"
add address=192.168.100.100 disabled=yes list=Mekari
/ip firewall filter
add action=drop chain=input comment="drop invalid input" connection-state=invalid
add action=fasttrack-connection chain=input comment="primary fasttrack" disabled=yes
add action=fasttrack-connection chain=forward comment="primary fasttrack" connection-state=established,related \
packet-mark=no-mark routing-table=main
add chain=input connection-state=established
add chain=forward connection-state=established,related
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid in-interface=ether1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
"port scanners to list" in-interface=ether1 psd=21,3s,3,1
add action=drop chain=input comment="deny outside ping" in-interface=ether1 protocol=icmp
add chain=input in-interface=!ether1 src-address=192.168.0.0/16
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add action=drop chain=input comment="drop all other input"
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="PIA VPN route mark" src-address-list="VPN Users"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="PIA Masq" out-interface=pptp-PIA-Cali
add chain=dstnat disabled=yes dst-address=192.168.0.47 dst-port=22 in-interface=ether1 protocol=tcp src-port=7822
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set anonymous=yes
/ip route
add distance=1 gateway=pptp-PIA-Cali routing-mark="PIA VPN route mark"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
/lcd
set color-scheme=light enabled=no touch-screen=disabled
/mpls interface
set [ find default=yes ] disabled=yes
/ppp secret
add name=ronin profile=LT2P/IPSec service=l2tp
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=rb2011
/system ntp client
set enabled=yes primary-ntp=204.2.134.163 secondary-ntp=67.198.37.16
/system routerboard settings
set silent-boot=yes